CN103491543A - Method for detecting malicious websites through wireless terminal, and wireless terminal - Google Patents

Abstract

The invention discloses a method for detecting a malicious website through a wireless terminal and a wireless terminal. The method includes: the wireless terminal receives a web page access request sent by the client terminal; the wireless terminal checks whether the website is a malicious website by querying the local blacklist and/or local whitelist fixed in the wireless terminal or querying through the cloud; if When the wireless terminal detects that the URL is a malicious URL, the wireless terminal generates a malicious URL reminder interface, and then returns the malicious URL reminder interface to the client. The malicious website detection function of the present invention is completed by the wireless terminal. Under certain circumstances, the wireless terminal can know whether the webpage accessed by the user is a malicious webpage without accessing the cloud. higher efficiency.

Description

Method for detecting malicious website through wireless terminal, wireless terminal

technical field

The invention relates to the technical field of the Internet, in particular to a method for detecting a malicious website through a wireless terminal and a wireless terminal.

Background technique

Phishing websites or fraudulent websites mainly fake the URL address or page content of the real website, pretend to be banking and e-commerce websites, or use the loopholes in the real website server program to open certain webpages of the website. Insert dangerous webpage codes into the website to defraud users of personal information such as bank or credit card account numbers and passwords. Phishing webpages contain many sensitive features. For example, financial fraudulent phishing webpages will imitate the official website in terms of text and pictures, or insert information such as fake ticketing, fake lottery winning, fake online banking, and fake shopping into real webpages. Features mostly appear in web pages in the form of text strings.

The current method for identifying phishing/fraudulent webpages is mainly through manual review to collect some simple text features of phishing webpages for the browser plug-in to judge the content of the webpage based on these text features and filter out these reported attacking websites. However, the survival period of phishing webpages is getting shorter and shorter, new phishing webpages emerge in endlessly, and the amount of webpages that need to be reviewed is too large; and the characteristics of phishing webpages are changing rapidly. According to the traditional manual review method, the efficiency of information extraction will be relatively low. . Therefore, how to effectively detect URLs of phishing/fraudulent webpages has been a concern in the industry.

Contents of the invention

In view of the above problems, the present invention is proposed to provide a wireless terminal that overcomes the above problems or at least partly solves the above problems and a method for detecting malicious URLs through the wireless terminal.

According to one aspect of the present invention, a method for detecting a malicious website through a wireless terminal is provided, including: the wireless terminal receives a web page access request sent by the client and includes the website; the wireless terminal queries the local blacklist and /or local whitelist or query through the cloud to detect whether the URL is a malicious URL; the cloud stores a timely updated malicious URL database; The reminder interface is returned to the client.

According to another aspect of the present invention, a wireless terminal is provided, including: a receiving module, configured to receive a web page access request sent by a client and including a website address; a detection module, configured to query a local blacklist fixed in the wireless terminal And/or the local white list or query through the cloud to detect whether the website is a malicious website, and the cloud stores a timely updated malicious website library; the interface generation module is used to detect that the website is a malicious website. A malicious URL reminder interface is generated, and then the malicious URL reminder interface is returned to the client.

According to the method and wireless terminal for detecting a malicious website through a wireless terminal provided by the present invention, when the client initiates a webpage request through the wireless terminal, the wireless terminal is used to detect whether the webpage that the user wants to visit is a malicious website, and if it is detected to be malicious URL, a malicious URL reminder interface is generated and returned to the client. The client displays the malicious URL reminder interface to the user to remind the user that the currently visited webpage is a malicious webpage, thereby avoiding unnecessary losses for the user due to visiting the malicious webpage and ensuring the security of webpage access. Moreover, the main difference between the present invention and the prior art is that the malicious website detection function is completed by the wireless terminal. Under certain circumstances, the wireless terminal can know whether the webpage accessed by the user is a malicious webpage without accessing the cloud. Compared with querying in the cloud, the detection efficiency of the present invention is higher.

The above description is only an overview of the technical solution of the present invention. In order to better understand the technical means of the present invention, it can be implemented according to the contents of the description, and in order to make the above and other purposes, features and advantages of the present invention more obvious and understandable , the specific embodiments of the present invention are enumerated below.

Description of drawings

Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiment. The drawings are only for the purpose of illustrating a preferred embodiment and are not to be considered as limiting the invention. Also throughout the drawings, the same reference numerals are used to designate the same components. In the attached picture:

FIG. 1 shows a system architecture diagram including a client, a wireless terminal and a cloud in an embodiment of the present invention;

FIG. 2 shows a flow chart of a method for detecting a malicious website through a wireless terminal according to an embodiment of the present invention;

FIG. 3 shows a flow chart of a method for detecting a malicious website through a wireless terminal according to another embodiment of the present invention;

FIG. 4 shows a schematic diagram of an example of a malicious website reminder interface in an embodiment of the present invention;

FIG. 5 shows a schematic diagram of another example of a malicious website reminder interface in an embodiment of the present invention;

Fig. 6 shows a structural block diagram of a wireless terminal according to an embodiment of the present invention.

Detailed ways

Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited by the embodiments set forth herein. Rather, these embodiments are provided for more thorough understanding of the present disclosure and to fully convey the scope of the present disclosure to those skilled in the art.

Fig. 1 shows a system architecture diagram including a client, a wireless terminal and a cloud in an embodiment of the present invention. As shown in Figure 1, the client 100 includes but not limited to various PCs, tablet devices, smart phones, TVs, etc., and the wireless terminal 300 can be various wireless access devices, such as wireless routers, wireless network cards, security gateways, etc. , the wireless terminal 300 has a wireless coverage function, and all clients 100 within the coverage of the wireless terminal 300 can access the cloud 200 network through the wireless terminal 300 . The present invention is based on the linkage between the cloud 200 and the wireless terminal 300 in the system framework for detecting malicious web addresses.

Fig. 2 shows a flowchart of a method for detecting malicious URLs through a wireless terminal according to an embodiment of the present invention. As shown in Figure 2, the method includes the following steps:

In step S101, the wireless terminal receives a webpage access request including a URL sent by a client.

Since the client accesses the cloud network through the wireless terminal, when the user initiates a webpage access through the client, the client generates a webpage access request and sends it to the wireless terminal. If the webpage is a normal webpage, the wireless terminal should forward the webpage access request to the cloud server.

Step S102, the wireless terminal checks whether the website is a malicious website by querying the local blacklist and/or local whitelist fixed in the wireless terminal or querying through the cloud, and if so, executes step S104; otherwise, executes step S103.

In the embodiment of the present invention, the malicious website includes but not limited to phishing website, fraudulent website, Trojan website or counterfeit website. A local blacklist and/or a local whitelist of URLs are pre-fixed in the wireless terminal. The local blacklist and/or the local whitelist may be downloaded by the wireless terminal from the cloud, and further, the wireless terminal may periodically request the cloud to update the local blacklist and/or the local whitelist.

If only the local whitelist is solidified in the wireless terminal, after the wireless terminal receives the web page access request reported by the client and extracts the website URL therefrom, it is judged whether the URL belongs to the local whitelist, and if so, it is determined that the website is a normal website. Execute step S103; if not, send the URL to the cloud for cloud query.

If only the local blacklist is solidified in the wireless terminal, after the wireless terminal receives the webpage access request reported by the client and extracts the website URL therefrom, it judges whether the URL belongs to the local blacklist, if so, then determines that the website is a malicious website, Execute step S104; if not, send the URL to the cloud for cloud query.

If the wireless terminal has a local whitelist and a local blacklist fixed in it, after the wireless terminal receives the webpage access request reported by the client and extracts the URL from it, it will judge whether the URL belongs to the local whitelist or local blacklist, if it belongs to the local whitelist, then determine that the URL is a normal URL, and execute step S103; if it belongs to the local blacklist, then determine that the URL is a malicious URL, and execute step S104; if it does not belong to the local whitelist or the local blacklist, execute the The URL is sent to the cloud for cloud query.

The main work of the cloud includes: crawling webpages by the whole web spider server cluster and receiving webpages reported by clients. The responsibilities of the whole web spider server cluster include: ① Complete the change monitoring of known active web pages, and the basis for judging active web pages is to see whether there are people using them. ② Complete the discovery of new HOST and web pages. ③The monitored change information and newly discovered web pages are pushed to the HOST\URL processing server in time. ④ The average daily monitored web pages are 20 billion, and the daily average number of newly discovered web pages is 1-2 billion. The task processing capacity of the entire cluster is of the same order of magnitude as web search services. For web pages that cannot be covered by the whole web spider server cluster, the client needs to report to solve it.

The above-mentioned server receiving the crawled webpage and the reported webpage is a HOST\URL processing server. The HOST\URL processing server has a library of malicious URLs and its management platform, and its main tasks include:

①Receive and store the website results predicted to be black by the Q3W artificial intelligence engine. The prediction method of Q3W artificial intelligence engine can be as follows: 1) Verify the authenticity (webpage snapshot): For example, the financial fraud webpage will imitate the official website in terms of text and pictures. 2) Check family background (server information): For example, if there is a malicious web page under HOST and IP, then the current web page is highly likely to be malicious. 3) Check the three generations of ancestors (ICP filing information, WHOIS information): For example, a webpage can sell air tickets, but the filing information has no ticketing business, so the possibility of fraud is very high; another example, websites under the name of the registrar often publish malicious webpages If the trust record is poor, then the new web page has a higher probability of being malicious.

②Because machine learning is basically a round every 15 minutes. False positives may be removed in the middle. At this time, the malicious URL database needs to update the records to keep it consistent with the engine's judgment.

③ Malicious website library supporting management platform, convenient for manual addition, deletion, modification, and checking of malicious websites. For web pages with false positives, it can be eliminated in time. For missed webpages, they can be forcibly stored in the library.

④ All changes in the malicious URL library are synchronized to the malicious URL cloud query engine in real time.

Cloud query refers to that the wireless terminal reports the URL to the above-mentioned malicious URL cloud query engine, and the malicious URL cloud query engine judges whether the URL belongs to the malicious URL library, and if it does, then judges that the URL is a malicious URL, and returns the judgment result to the wireless terminal.

Further, after the wireless terminal learns that a certain website URL is a malicious website through cloud query, it can add the website URL to the local blacklist, so that when a client within the wireless coverage of the wireless terminal accesses the URL again, it does not need cloud query. It can be determined that the URL is a malicious URL.

Step S103, the wireless terminal forwards the web page access request to a corresponding server.

Through the above step S102, it is determined that the website is not a malicious website, then the wireless terminal forwards the webpage access request to the corresponding server according to the existing method, and returns the webpage fed back by the server to the client, so as to realize the normal webpage access of the user.

Step S104, the wireless terminal generates a malicious website reminder interface, and returns the malicious website reminder interface to the client.

After receiving the malicious URL reminder interface, the client displays the malicious URL reminder interface to the user to remind the user that the currently visited webpage is a malicious webpage.

According to the method provided by the above-mentioned embodiments of the present invention, when the client initiates a webpage request through the wireless terminal, the wireless terminal is used to detect whether the webpage that the user wants to visit is a malicious website, and if it is detected to be a malicious website, a malicious website reminder is generated. The interface is returned to the client. The client displays the malicious URL reminder interface to the user to remind the user that the currently visited webpage is a malicious webpage, thereby avoiding unnecessary losses for the user due to visiting the malicious webpage and ensuring the security of webpage access. Moreover, the main difference between the present invention and the prior art is that the malicious website detection function is completed by the wireless terminal. Under certain circumstances, the wireless terminal can know whether the webpage accessed by the user is a malicious webpage without accessing the cloud. Compared with querying in the cloud, the detection efficiency of the present invention is higher.

Fig. 3 shows a flowchart of a method for detecting malicious URLs through a wireless terminal according to another embodiment of the present invention. As shown in Figure 3, the method includes the following steps:

In step S201, the wireless terminal receives a webpage access request including a URL sent by a client.

Since the client accesses the cloud network through the wireless terminal, when the user initiates a webpage access through the client, the client generates a webpage access request and sends it to the wireless terminal. If the webpage is a normal webpage, the wireless terminal should forward the webpage access request to the cloud server.

In step S202, the wireless terminal checks whether the website is a malicious website by querying the local blacklist and/or local whitelist fixed in the wireless terminal or querying through the cloud, and if so, executes step S204; otherwise, executes step S203. For the specific content of this step, reference may be made to the description of the foregoing embodiments, and details are not repeated here.

Step S203, the wireless terminal forwards the web page access request to the corresponding server, and the method ends.

Through the above step S202, it is determined that the website is not a malicious website, then the wireless terminal forwards the webpage access request to the corresponding server according to the existing method, and returns the webpage fed back by the server to the client, so as to realize the normal webpage access of the user.

Step S204, the wireless terminal determines the type of the client according to the information included in the web page access request for reflecting the type of the client.

In the embodiment of the present invention, the webpage access request carries information for reflecting the type of the client. Since a wireless coverage of a wireless terminal may include multiple different types of clients, for example, PCs, tablet computers, smart phones, and televisions all belong to different types. The wireless terminal can determine which type the current webpage access request belongs to according to the information for reflecting the client type carried in the webpage access request.

Optionally, the information used to reflect the type of the client may be a user agent string (User Agent), a media access control address (MAC) or a dynamic host configuration protocol (DHCP).

For example, when a user visits a website through a browser, the browser will send a UA, or User Agent, to the cloud server. It is a special string header that enables the cloud server to identify the operating system and version, CPU type, browser and version, browser rendering engine, browser language, browser plug-in, etc. used by the customer. Different browsers, different versions of the same browser, mobile phone browsers, and computer browsers have different UAs, so the wireless terminal can determine the type of the client through the UA.

Take the User Agent of IE as an example, which includes the following information:

Compatible: Compatibility flag ("compatible"), is used by the most advanced browsers. It shows that Internet browsers are compatible with a common set of functions.

Version token: The version browser and identification token contains the version number, for example Internet Explorer 7 identified by the version "MSIE7.0" token.

Platform token: The platform token identifies the user's operating system and includes a version number. For example the platform "Windows NT 6.0" token represents Windows Vista.

The MAC address is usually an EPROM (a flash memory chip that can usually be erased by a program) burned in by the client manufacturer. The MAC address is like the ID number on our ID card, which is globally unique. The client type can also be determined through the information of the manufacturer in the MAC address.

The DHCP information carries the information of the operating system of the client, and the type of the client can also be determined according to the information of the operating system.

Step S205, the wireless terminal generates a malicious website reminder interface corresponding to the type of the client.

In this embodiment, for different client types, the malicious website reminder interfaces generated by the wireless terminal are different, which is specifically related to the sizes of display screens of different types of clients. FIG. 4 shows a schematic diagram of an example of a malicious website reminder interface in an embodiment of the present invention, and FIG. 5 shows a schematic diagram of another example of a malicious website reminder interface in an embodiment of the present invention. If the type of client determined by step S204 is a smart phone, the wireless terminal generates a malicious URL prompt interface as shown in Figure 4; The malicious website alert interface shown in Figure 5. It should be noted that Fig. 4 and Fig. 5 are only two examples, and the present invention is not limited thereto.

Specifically, the wireless terminal locally stores a malicious website reminder interface template, and different types of clients may correspond to different or the same malicious website reminder interface template. The wireless terminal obtains the relevant information of the malicious website from the server, inserts the relevant information of the malicious website into the locally saved malicious website reminder interface template, and generates the malicious website reminder interface. As shown in Figure 4 and Figure 5, the information marked with "underline" is the relevant information of the malicious website obtained from the server, and the information not marked with "underline" belongs to the information of the malicious website reminder interface template. Optionally, the malicious website reminder interface template stored locally by the wireless terminal is an HTML language file, and the wireless terminal copies the obtained malicious website information to a predetermined position of the HTML language file in the form of JS code, so as to realize the above insertion process.

Step S206, the wireless terminal returns the malicious website reminder interface to the client.

After receiving the malicious URL reminder interface, the client displays the malicious URL reminder interface to the user to remind the user that the currently visited webpage is a malicious webpage.

Further, as shown in Fig. 4 and Fig. 5, a link of "install security software" may also be displayed on the malicious website alert interface. The user chooses to click the link of "Install Security Software" according to the prompt, and the client triggers sending a software installation request to the wireless terminal according to the user's clicking action. After the above step S206, the method also includes:

Step S207, the wireless terminal receives the software installation request sent by the client.

In step S208, the wireless terminal requests a software installation page or a software installation file from the server according to the type of the client, and returns the request to the client. Specifically, for a PC, the wireless terminal directly requests the server for a software installation page, such as the official website of the software, and returns the software installation page to the PC; for a smart phone or a tablet computer, the wireless terminal can directly request the server for the software installation file and then return the .

In order to further improve the malicious website detection function provided by the wireless terminal, the wireless terminal may provide the user with a setting interface for enabling/disabling the malicious website detection function. That is, the user can set whether to enable the malicious website detection function provided by the above embodiment through the setting interface. For the above method, before step S102 or step S202, the wireless terminal first determines whether to activate the malicious website detection function. If the judgment result is yes, execute the above step S102 or step S202; if the judgment result is no, then do not execute the above step S102 or step S202, and the wireless terminal forwards the information exchanged between the client and the server according to the existing method.

According to the method provided by the above-mentioned embodiments of the present invention, when the client initiates a webpage request through the wireless terminal, the wireless terminal is used to detect whether the webpage that the user wants to visit is a malicious website, and if it is detected to be a malicious website, a malicious website reminder is generated. The interface is returned to the client. The client displays the malicious URL reminder interface to the user to remind the user that the currently visited webpage is a malicious webpage, thereby avoiding unnecessary losses for the user due to visiting the malicious webpage and ensuring the security of webpage access. Moreover, the main difference between the present invention and the prior art is that the malicious website detection function is completed by the wireless terminal. Under certain circumstances, the wireless terminal can know whether the webpage accessed by the user is a malicious webpage without accessing the cloud. Compared with querying in the cloud, the detection efficiency of the present invention is higher. Moreover, the wireless terminal provides different malicious website reminder interfaces for different types of clients by determining the type of the client, so that the method is applicable to various types of clients.

Fig. 6 shows a structural block diagram of a wireless terminal according to an embodiment of the present invention. As shown in FIG. 6 , the wireless terminal includes: a receiving module 301 , a detecting module 302 , and an interface generating module 303 .

The receiving module 301 is configured to receive a webpage access request including a URL sent by a client. Since the client accesses the cloud network through the wireless terminal, when the user initiates a webpage access through the client, the client generates a webpage access request and sends it to the receiving module 301 of the wireless terminal. If the webpage is a normal webpage, the wireless terminal should The web page access request is forwarded to the cloud server.

The detection module 302 is configured to detect whether the website is a malicious website by querying the local blacklist and/or local whitelist fixed in the wireless terminal or querying through the cloud. In the embodiment of the present invention, the malicious website includes but not limited to phishing website, fraudulent website, Trojan website or counterfeit website. A local blacklist and/or a local whitelist of URLs are pre-fixed in the wireless terminal. The local blacklist and/or the local whitelist may be downloaded by the wireless terminal from the cloud, and further, the wireless terminal may periodically request the cloud to update the local blacklist and/or the local whitelist.

Further, the detection module 302 includes: a query unit 304 and a cloud query request unit 305 .

The query unit 304 is used to query the local blacklist and/or the local whitelist, and determine whether the URL belongs to the local blacklist and/or the local whitelist, and if it is determined that the URL belongs to the local blacklist, then the URL is detected as a malicious URL. If only the local whitelist is solidified in the wireless terminal, after the receiving module 301 receives the web page access request reported by the client and extracts the website URL therefrom, the query unit 304 judges whether the URL belongs to the local whitelist, and if so, then judges the website It is a normal URL; if not, the URL is sent to the cloud by the cloud query request unit 305 for cloud query. If only the local blacklist is solidified in the wireless terminal, after the receiving module 301 receives the webpage access request reported by the client and extracts the website URL therefrom, the query unit 304 judges whether the URL belongs to the local blacklist, if so, then judges the website It is a malicious URL; if not, the URL is sent to the cloud by the cloud query request unit 305 for cloud query. If a local whitelist and a local blacklist are solidified in the wireless terminal, after the receiving module 301 receives the web page access request reported by the client and extracts the website URL therefrom, the query unit 304 judges whether the URL belongs to the local whitelist and the local blacklist , if it belongs to the local whitelist, it is determined that the website is a normal website; if it belongs to the local blacklist, it is determined that the website is a malicious website; if it does not belong to the local whitelist or the local blacklist, the cloud query request unit 305 Send the URL to the cloud for cloud query.

The cloud query request unit 305 is used for detecting whether the URL is a malicious URL through cloud query when the query unit 304 determines that the URL does not belong to the local blacklist and/or does not belong to the local whitelist. The description about cloud query can refer to the method embodiment.

The interface generation module 303 is configured to generate a malicious website reminder interface when the detection module 302 detects that the website is a malicious website, and then return the malicious website reminder interface to the client.

Further, the interface generating module 303 includes: a type determining unit 306 and an interface generating unit 307 .

The type determination unit 306 is configured to determine the type of the client according to the information reflecting the type of the client. In the embodiment of the present invention, the webpage access request carries information for reflecting the type of the client. Since a wireless coverage of a wireless terminal may include multiple different types of clients, for example, PCs, tablet computers, smart phones, and televisions all belong to different types. The type determination unit 306 may determine which type the current webpage access request belongs to according to the information carried in the webpage access request and used to reflect the type of the client. Optionally, the information used to reflect the type of the client may be a user agent string (User Agent), a media access control address (MAC) or a dynamic host configuration protocol (DHCP). A description of such information can be found in the method examples.

The interface generation unit 307 is configured to generate a malicious website reminder interface corresponding to the type of the client. In this embodiment, for different client types, the malicious website reminder interfaces generated by the interface generation unit 307 are different, which is specifically related to the sizes of display screens of different types of clients. See Figure 4 and Figure 5 for details. The interface generating unit 307 is further configured to: obtain relevant information of the malicious website from the server; insert the relevant information of the malicious website into the locally saved malicious website reminder interface template to generate a malicious website reminder interface. Specifically, the wireless terminal locally stores a malicious website reminder interface template, and different types of clients may correspond to different or the same malicious website reminder interface template. The interface generation unit 307 obtains relevant information of the malicious website from the server, inserts the relevant information of the malicious website into the locally saved malicious website reminder interface template, and generates a malicious website reminder interface. As shown in Figure 4 and Figure 5, the information marked with "underline" is the relevant information of the malicious website obtained from the server, and the information not marked with "underline" belongs to the information of the malicious website reminder interface template. Optionally, the malicious website reminder interface template stored locally by the wireless terminal is an HTML language file, and the interface generation unit 307 copies the obtained malicious website information to a predetermined position of the HTML language file in the form of JS code, so as to realize the above insertion deal with.

Further, as shown in Fig. 4 and Fig. 5, a link of "install security software" may also be displayed on the malicious website alert interface. The user chooses to click the link of "Install Security Software" according to the prompt, and the client triggers sending a software installation request to the wireless terminal according to the user's clicking action. The receiving module 301 is also configured to receive a software installation request sent by the client. The wireless terminal also includes: a transmission module 308, configured to request a software installation page or a software installation file from the server according to the type of the client, and then return it to the client. Specifically, for a PC, the transmission module 308 directly requests the server for a software installation page, such as the official website of the software, and returns the software installation page to the PC; client.

In order to further improve the malicious website detection function provided by the wireless terminal, the wireless terminal further includes: a user setting interface 309 , which is an interface for enabling/disabling the malicious website detection function for the user. That is, the user can set through the user setting interface 309 whether to enable the malicious website detection function provided by the above embodiment. The detection module 302 is specifically used to detect whether the website is a malicious website when it is determined that the malicious website detection function is activated.

According to the wireless terminal provided by the above-mentioned embodiments of the present invention, when the client initiates a webpage request through the wireless terminal, the wireless terminal is used to detect whether the webpage that the user wants to visit is a malicious website, and if it is detected to be a malicious website, a malicious website is generated. The reminder interface is returned to the client. The client displays the malicious URL reminder interface to the user to remind the user that the currently visited webpage is a malicious webpage, thereby avoiding unnecessary losses for the user due to visiting the malicious webpage and ensuring the security of webpage access. Moreover, the main difference between the present invention and the prior art is that the malicious website detection function is completed by the wireless terminal. Under certain circumstances, the wireless terminal can know whether the webpage accessed by the user is a malicious webpage without accessing the cloud. Compared with querying in the cloud, the detection efficiency of the present invention is higher. Moreover, the wireless terminal provides different malicious website reminder interfaces for different types of clients by determining the type of the client, so that the method is applicable to various types of clients.

The algorithms and displays presented herein are not inherently related to any particular computer, virtual system, or other device. Various generic systems can also be used with the teachings based on this. The structure required to construct such a system is apparent from the above description. Furthermore, the present invention is not specific to any particular programming language. It should be understood that various programming languages can be used to implement the content of the present invention described herein, and the above description of specific languages is for disclosing the best mode of the present invention.

In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure the understanding of this description.

Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, in order to streamline this disclosure and to facilitate an understanding of one or more of the various inventive aspects, various features of the invention are sometimes grouped together in a single embodiment, figure, or its description. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the Detailed Description are hereby expressly incorporated into this Detailed Description, with each claim standing on its own as a separate embodiment of this invention.

Those skilled in the art can understand that the modules in the device in the embodiment can be adaptively changed and arranged in one or more devices different from the embodiment. Modules or units or components in the embodiments may be combined into one module or unit or component, and furthermore may be divided into a plurality of sub-modules or sub-units or sub-assemblies. All features disclosed in this specification (including accompanying claims, abstract and drawings), as well as any method or method so disclosed, may be used in any combination, except that at least some of such features and/or processes or units are mutually exclusive. All processes or units of equipment are combined. Each feature disclosed in this specification (including accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.

Furthermore, those skilled in the art will understand that although some embodiments described herein include some features included in other embodiments but not others, combinations of features from different embodiments are meant to be within the scope of the invention. and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.

The various component embodiments of the present invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art should understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all functions of some or all components in the wireless terminal according to the embodiments of the present invention. The present invention can also be implemented as an apparatus or an apparatus program (for example, a computer program and a computer program product) for performing a part or all of the methods described herein. Such a program for realizing the present invention may be stored on a computer-readable medium, or may be in the form of one or more signals. Such a signal may be downloaded from an Internet site, or provided on a carrier signal, or provided in any other form.

It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The use of the words first, second, and third, etc. does not indicate any order. These words can be interpreted as names.

The invention discloses: A1. A method for detecting malicious URLs through a wireless terminal, comprising:

The wireless terminal receives the webpage access request including the URL sent by the client;

The wireless terminal detects whether the website is a malicious website by querying the local blacklist and/or local whitelist fixed in the wireless terminal or querying through the cloud; the cloud stores a timely updated malicious website library;

If the wireless terminal detects that the website is a malicious website, the wireless terminal generates a malicious website reminder interface, and then returns the malicious website reminder interface to the client.

A2. According to the method described in A1, the wireless terminal detects whether the website is a malicious website by querying the local blacklist and/or local whitelist fixed in the wireless terminal or querying through the cloud, specifically including:

The wireless terminal queries the local blacklist and/or local whitelist, and determines whether the website belongs to the local blacklist and/or local whitelist;

If the wireless terminal determines that the website belongs to the local blacklist, it detects that the website is a malicious website;

If the wireless terminal determines that the website does not belong to the local blacklist and/or does not belong to the local whitelist, it will check whether the website is a malicious website through cloud query.

A3. According to the method described in A1 or A2, the web page access request further includes information reflecting the type of the client;

The wireless terminal generating a malicious website reminder interface specifically includes: the wireless terminal determines the type of the client according to the information reflecting the type of the client; the wireless terminal generates a malicious website corresponding to the type of the client Reminder interface.

A4. According to the method described in A3, the malicious URL reminder interface generated by the wireless terminal corresponding to the type of the client specifically includes:

The wireless terminal acquires information related to malicious URLs from a server;

The wireless terminal inserts the relevant information of the malicious website into the locally saved malicious website reminder interface template to generate the malicious website reminder interface.

A5. According to the method described in A3, the information used to reflect the type of the client is a user agent character string or a media access control address or dynamic host configuration protocol information.

A6. According to the method described in A1, after the malicious URL reminder interface is returned to the client, it also includes:

The wireless terminal receives the software installation request sent by the client;

The wireless terminal requests a software installation page or a software installation file from the server according to the type of the client, and returns the request to the client.

A7. According to the method described in A1, the wireless terminal provides the user with a setting interface for enabling/closing the malicious website detection function;

Before the step of the wireless terminal detecting whether the website is a malicious website, it also includes: the wireless terminal judges whether to activate the malicious website detection function;

If yes, the wireless terminal executes the step of detecting whether the website is a malicious website.

A8. According to the method described in A1, the malicious website includes: a phishing website, a fraudulent website, a horse website or a counterfeit website.

The present invention also discloses: B9, a wireless terminal, comprising:

A receiving module, configured to receive a web page access request sent by the client and including a URL;

The detection module is used to detect whether the website is a malicious website by querying the local blacklist and/or local whitelist fixed in the wireless terminal or querying through the cloud; the cloud stores a timely updated malicious website library;

The interface generation module is configured to generate a malicious website reminder interface when the detection module detects that the website is a malicious website, and then return the malicious website reminder interface to the client.

B10. According to the wireless terminal described in B9, the detection module includes:

a query unit, configured to query the local blacklist and/or the local whitelist, and determine whether the URL belongs to the local blacklist and/or the local whitelist; if it is determined that the URL belongs to the local blacklist, then It is detected that the URL is a malicious URL;

The cloud query request unit is configured to detect whether the website is a malicious website through cloud query when the query unit determines that the website does not belong to the local blacklist and/or does not belong to the local whitelist.

B11. According to the wireless terminal described in B9 or B10, the web page access request also includes information for reflecting the client type;

The interface generation module includes:

a type determining unit, configured to determine the type of the client according to the information reflecting the type of the client;

An interface generation unit, configured to generate a malicious URL reminder interface corresponding to the type of the client.

B12. According to the wireless terminal described in B11, the interface generating unit is specifically used to: obtain relevant information of malicious URLs from a server; insert the relevant information of the malicious URLs into the locally saved malicious URL reminder interface template, and generate the relevant information of the malicious URLs The above malicious URL reminder interface.

B13. According to the wireless terminal described in B9, the receiving module is further configured to receive a software installation request sent by the client;

The wireless terminal further includes: a transmission module, configured to request a software installation page or a software installation file from the server according to the type of the client and return it to the client.

B14. The wireless terminal according to B9, further comprising: a user setting interface, which is an interface for providing a user with a function of enabling/disabling malicious website detection;

The detection module is specifically used to detect whether the website is a malicious website when it is determined that the malicious website detection function is activated.

Claims (10)

1. A method for detecting a malicious website through a wireless terminal, comprising: The wireless terminal receives the webpage access request including the URL sent by the client; The wireless terminal detects whether the website is a malicious website by querying the local blacklist and/or local whitelist fixed in the wireless terminal or querying through the cloud; the cloud stores a timely updated malicious website library; If the wireless terminal detects that the website is a malicious website, the wireless terminal generates a malicious website reminder interface, and then returns the malicious website reminder interface to the client. 2. The method according to claim 1, wherein the wireless terminal detects whether the website is a malicious website by querying the local blacklist and/or local whitelist fixed in the wireless terminal or querying through the cloud, specifically comprising: The wireless terminal queries the local blacklist and/or local whitelist, and determines whether the website belongs to the local blacklist and/or local whitelist; If the wireless terminal determines that the website belongs to the local blacklist, it detects that the website is a malicious website; If the wireless terminal determines that the website does not belong to the local blacklist and/or does not belong to the local whitelist, it will check whether the website is a malicious website through cloud query. 3. The method according to claim 1 or 2, wherein the web page access request further includes information reflecting the client type; The wireless terminal generating a malicious website reminder interface specifically includes: the wireless terminal determines the type of the client according to the information reflecting the type of the client; the wireless terminal generates a malicious website corresponding to the type of the client Reminder interface. 4. The method according to claim 3, wherein said wireless terminal generating a malicious URL reminder interface corresponding to the type of said client specifically includes: The wireless terminal acquires information related to malicious URLs from a server; The wireless terminal inserts the relevant information of the malicious website into the locally saved malicious website reminder interface template to generate the malicious website reminder interface. 5. The method according to claim 3, wherein the information for reflecting the type of the client is a user agent character string or a media access control address or dynamic host configuration protocol information. 6. The method according to claim 1, after the malicious URL reminder interface is returned to the client, further comprising: The wireless terminal receives the software installation request sent by the client; The wireless terminal requests a software installation page or a software installation file from the server according to the type of the client, and returns the request to the client. 7. The method according to claim 1, wherein the wireless terminal provides the user with a setting interface for enabling/disabling the malicious website detection function; Before the step of the wireless terminal detecting whether the website is a malicious website, it also includes: the wireless terminal judges whether to activate the malicious website detection function; If yes, the wireless terminal executes the step of detecting whether the website is a malicious website. 8. The method according to claim 1, wherein the malicious website includes: a phishing website, a fraudulent website, a Trojan website or a counterfeit website. 9. A wireless terminal, comprising: A receiving module, configured to receive a web page access request sent by the client and including a URL; The detection module is used to detect whether the website is a malicious website by querying the local blacklist and/or local whitelist fixed in the wireless terminal or querying through the cloud; the cloud stores a timely updated malicious website library; The interface generation module is configured to generate a malicious website reminder interface when the detection module detects that the website is a malicious website, and then return the malicious website reminder interface to the client. 10. The wireless terminal according to claim 9, the detection module comprising: a query unit, configured to query the local blacklist and/or the local whitelist, and determine whether the URL belongs to the local blacklist and/or the local whitelist; if it is determined that the URL belongs to the local blacklist, then It is detected that the URL is a malicious URL; The cloud query request unit is configured to detect whether the website is a malicious website through cloud query when the query unit determines that the website does not belong to the local blacklist and/or does not belong to the local whitelist.

Images